Improve Authentication object structure #233
Comments
See also jmix-projects/jmix-security#117
Role names are stored as strings in the Authentication object. The RoleGrantedAuthorityUtils class must be used to create role granted authorities. BaseRoleRepository inheritance is replaced by delegation to the new RoleRepositoryProviderUtils. Spring cache is used for resource and row-level roles. jmix-security-starter is added to build.gradle in the project templates.
Implementation details
Previously, the Now we store just role names in the To create an instance of granted authority for a resource or row-level role a
A prefix for the resource role authority may be set using the standard Spring mechanism: by the A prefix for the row-level role authority may be set using the The fact that Authentication now stores only role names means we have to request role policies each time we need to check any grant. Because of this, RowLevelRepository and ResourceRoleRepository now use a roles cache. The roles cache is cleared when any role is updated in the database (through the runtime role editing views) or when an annotated role is hot-deployed.
Breaking Changes
The jmix-security-starter must be added to the build.gradle of an existing project. This is required because the
Jmix Studio issue for adding the starter on project migration: https://youtrack.jmix.io/issue/JST-4328
For QA. Do the smoke test of security:
Reopened
OIDC issue fixed in commit aedef92
Currently, authentication objects represent a complex object structure.
The object structure contains:
Possible problems due to the given structure of objects:
Solution:
Store only role names on an authentication object. This will solve the problems described above.
The authorization process should load resource/row-level roles from the in-memory cache (for performance reasons) by their names and check permissions for objects using the roles taken from the cache.
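As an added illustration of the proposed structure (this is not code from the Jmix project or from this issue, and it does not use the Jmix or Spring Security classes named above), the following standalone Java 16+ program models the design: the authentication holds only prefixed role names, a repository resolves a role's policies by name through an in-memory cache, and the cache is cleared when a role changes so that the next permission check sees the updated policies. All class names (`RoleNameAuthDemo`, `ResourceRoleRepository`, `ResourcePolicy`), the prefix values and the role names are hypothetical, constructed for the example.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

// Hypothetical model of "store only role names on the authentication, resolve
// policies from a cache by name". Not the Jmix implementation.
public class RoleNameAuthDemo {

    // Assumed prefixes; in a real project these are configurable.
    static final String RESOURCE_ROLE_PREFIX = "ROLE_";
    static final String ROW_LEVEL_ROLE_PREFIX = "ROW_LEVEL_ROLE_";

    // Build the authority string that is stored in the authentication.
    static String resourceRoleAuthority(String roleName) { return RESOURCE_ROLE_PREFIX + roleName; }
    static String rowLevelRoleAuthority(String roleName) { return ROW_LEVEL_ROLE_PREFIX + roleName; }

    // A resource policy: one permitted action on one resource.
    record ResourcePolicy(String resource, String action) {}

    // A resource role as held by the role source (annotated class or database row).
    record ResourceRole(String name, Set<ResourcePolicy> policies) {}

    // Repository that resolves roles by name, with a cache in front of the loader.
    static class ResourceRoleRepository {
        private final Function<String, ResourceRole> loader;
        private final Map<String, ResourceRole> cache = new ConcurrentHashMap<>();
        int loaderHits = 0; // counts trips to the role source, to show the cache working

        ResourceRoleRepository(Function<String, ResourceRole> loader) { this.loader = loader; }

        ResourceRole findRoleByCode(String name) {
            return cache.computeIfAbsent(name, n -> { loaderHits++; return loader.apply(n); });
        }

        // Called when a role is edited in the database or an annotated role is hot-deployed.
        void invalidate() { cache.clear(); }
    }

    // Permission check: walk the role names on the authentication, resolve each
    // resource role from the cache and look for a matching policy.
    static boolean isPermitted(Collection<String> authorities, ResourceRoleRepository repo,
                               String resource, String action) {
        ResourcePolicy wanted = new ResourcePolicy(resource, action);
        for (String authority : authorities) {
            if (!authority.startsWith(RESOURCE_ROLE_PREFIX)) continue; // row-level roles are checked elsewhere
            String roleName = authority.substring(RESOURCE_ROLE_PREFIX.length());
            ResourceRole role = repo.findRoleByCode(roleName);
            if (role != null && role.policies().contains(wanted)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed role source standing in for the database / annotated roles.
        Map<String, ResourceRole> source = new HashMap<>();
        source.put("customer-reader", new ResourceRole("customer-reader",
                Set.of(new ResourcePolicy("Customer", "read"))));
        ResourceRoleRepository repo = new ResourceRoleRepository(source::get);

        // The authentication carries only prefixed role names, not role objects.
        List<String> authorities = List.of(resourceRoleAuthority("customer-reader"),
                                           rowLevelRoleAuthority("own-customers-only"));

        System.out.println("read:   " + isPermitted(authorities, repo, "Customer", "read"));
        System.out.println("update: " + isPermitted(authorities, repo, "Customer", "update"));
        System.out.println("loader hits after two checks: " + repo.loaderHits);

        // Editing the role must clear the cache, otherwise stale policies stay in force.
        source.put("customer-reader", new ResourceRole("customer-reader",
                Set.of(new ResourcePolicy("Customer", "read"), new ResourcePolicy("Customer", "update"))));
        repo.invalidate();
        System.out.println("update after role edit: " + isPermitted(authorities, repo, "Customer", "update"));
        System.out.println("loader hits after invalidation: " + repo.loaderHits);
    }
}
```

The second `isPermitted` call in `main` is served from the cache, so the role source is consulted once for the two checks; only after `invalidate()` is the edited role loaded again. The point a reviewer of this design cares about is the invalidation path: if role edits or hot-deploys do not clear the cache, an authentication that still names the role keeps the old policies until the cache is dropped.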